CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Github Security Blog•added 2026/05/06 6:28 p.m.•2 views

Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation

5.9AI score

Exploits0References2Affected Software1

Snyk•added 2026/05/06 6:28 p.m.•5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through the TimesheetVoter::voteOnAttribute process. An attacker can access, modify, or delete timesheet records belonging to users outside their team by sending crafted API requests with sufficient privileges...

7.1CVSS5.8AI score

OSV•added 2026/05/05 8:53 p.m.•1 views

GHSA-3XC2-H5R3-WV3R Kimai vulnerable to formula Injection via tag names in XLSX export

Summary Any ROLEUSER can create a tag with a formula string as its name e.g. =SUM54+51 via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue joins tag names with implode and returns the result unchanged. OpenSpout promotes any...

6.8CVSS5.8AI score0.00034EPSS

Snyk•added 2026/05/05 8:53 p.m.•3 views

CSV Injection

Overview Affected versions of this package are vulnerable to CSV Injection via the XLSX export process. An attacker can execute arbitrary formulas on the system of a user who opens the exported file by creating a tag with a formula string as its name and assigning it to a timesheet, which is then...

6.8CVSS6.1AI score0.00034EPSS

Exploits1References2

OSV•added 2026/02/11 3:30 p.m.•2 views

GHSA-9278-6HCJ-2P4J Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions

Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users...

Github Security Blog•added 2026/02/11 3:30 p.m.•3 views

Exploits1References7

Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions

Exploits1References7Affected Software1

OSV•added 2026/02/11 3:16 p.m.•2 views

CVE-2019-25317

5.4CVSS5.5AI score

Exploits0References4

NVD•added 2026/02/11 3:16 p.m.•3 views

CVE-2019-25317

6.4CVSS0.0001EPSS

Cvelist•added 2026/02/11 2:56 p.m.•19 views

CVE-2019-25317 Kimai 2- persistent cross-site scripting (XSS)

6.4CVSS0.0001EPSS

CVE•added 2026/02/11 2:56 p.m.•5 views

CVE-2019-25317

Kimai 2 is affected by a persistent cross-site scripting vulnerability in the timesheet description field, allowing SVG-based XSS payloads to be injected and executed as other users load the affected page. The issue enables arbitrary JavaScript execution in contexts where descriptions are viewed,...

Exploits1References4Affected Software1

Vulnrichment•added 2026/02/11 2:56 p.m.•4 views

CVE-2019-25317 Kimai 2- persistent cross-site scripting (XSS)

ATTACKERKB•added 2026/02/11 2:56 p.m.•3 views

CVE-2019-25317

6.4CVSS5.4AI score0.0001EPSS

Exploits1References4Affected Software1

Positive Technologies•added 2026/02/11 12:0 a.m.•3 views

PT-2026-7611

6.4CVSS5.4AI score0.0001EPSS

Exploits1References9

RedhatCVE•added 2026/01/21 12:30 a.m.•3 views

CVE-2025-67824

The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when t...

6.1CVSS5.8AI score0.00016EPSS

Exploits0References1

NVD•added 2026/01/20 4:16 p.m.•3 views

CVE-2025-67824

6.1CVSS0.00016EPSS

Cvelist•added 2026/01/20 12:0 a.m.•11 views

CVE-2025-67824

0.00016EPSS